This section describes issues with the security software in the Oracle Solaris 11.4 release.
The sxadm command in Oracle Solaris 11.4 uses the HW_BTI security extension to provide the status of hardware-based mitigation for CVE-2017-5715 (Branch Target Injection, Spectre Variant 2) in the SPARC firmware. For more information, see the sxadm(8) man page.
For sxadm to determine whether this mitigation is enabled, the firmware must be updated to a version that communicates this status to the operating system. If the firmware has not been updated, sxadm reports that HW_BTI is not supported, even when the mitigation is actually enabled in the firmware.
The following table shows the minimum firmware version that supports the HW_BTI security extension. For the given platform, make sure you are running the specified firmware version or newer.
For more information about SPARC mitigations for CVE-2017-5715, see “Oracle Solaris on SPARC — CVE-2017-5753 (Spectre v1), CVE-2017-5715 (Spectre v2), and CVE-2017-5754 (Meltdown) Vulnerabilities (Doc ID 2349278.1)” on support.oracle.com.
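The following shell script is an added example and is not part of the Oracle release notes. It reads the parseable output of `sxadm status -p` and classifies the HW_BTI line so that the "not supported" case described above can be distinguished from a firmware that reports the mitigation as disabled. The record layout (EXTENSION:STATUS:FLAGS per line), the extension name `hw_bti` in that output, and the exact status strings are assumptions; the sample output used when sxadm is absent is constructed, not captured from a system.

```shell
#!/bin/sh
# Added example, not from the Oracle release notes: interpret the HW_BTI line
# of `sxadm status -p`. Assumptions: one EXTENSION:STATUS:FLAGS record per line
# and the extension is listed as "hw_bti". The sample output below is
# constructed, not captured.

# hw_bti_state TEXT -> prints enabled | disabled | not-supported | unknown
hw_bti_state() {
    status=$(printf '%s\n' "$1" |
        awk -F: 'tolower($1) == "hw_bti" { print tolower($2) }')
    case "$status" in
        '')             echo unknown ;;        # no hw_bti record at all
        *not*support*)  echo not-supported ;;  # what un-updated firmware yields
        enabled*)       echo enabled ;;
        disabled*)      echo disabled ;;
        *)              echo unknown ;;
    esac
}

# hw_bti_advice STATE -> prints the follow-up action the release note implies
hw_bti_advice() {
    case "$1" in
        not-supported) echo "compare the firmware version with the platform minimum; only updated firmware reports this status" ;;
        enabled)       echo "hardware mitigation for CVE-2017-5715 is reported active" ;;
        disabled)      echo "firmware reports the mitigation, but it is switched off" ;;
        *)             echo "sxadm did not report an hw_bti record" ;;
    esac
}

# Use live output when sxadm is present, otherwise the constructed sample.
if command -v sxadm >/dev/null 2>&1; then
    input=$(sxadm status -p 2>/dev/null)
else
    input=$(printf 'aslr:enabled.all:u-c\nnxstack:enabled.all:u-c\nhw_bti:not supported:-\n')
fi
state=$(hw_bti_state "$input")
echo "HW_BTI: $state -- $(hw_bti_advice "$state")"
```

The classification treats any status containing "not ... support" as the un-updated-firmware case, because that is the only state the release note says is reported before the firmware update; a system whose firmware is current but reports "disabled" is a different finding and needs a different fix.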
The ktkt_warn service, which renews a user's Kerberos credentials and warns about credential expiry, is now disabled by default. While the service is disabled, the kinit command displays the following message:
kinit: no ktkt_warnd warning possible
Workaround: Enable the service in one of the following ways:
If the system already has Kerberos configured, use the svcadm command to enable the service.
# svcadm enable ktkt_warn
If Kerberos has not been configured, run the kclient utility to configure Kerberos, which will also enable the ktkt_warn service.
For more information about the kclient utility, see the kclient(8) man page.
If you have made manual modifications to the LDAP configuration files /etc/openldap/ldap.conf and /etc/openldap/slapd.conf, the security settings for the TLS cipher suite might be incorrect.
Workaround: If you maintain your own LDAP configuration files, make the following modifications to maintain a secure system:
In the /etc/openldap/ldap.conf file, set the TLS_PROTOCOL_MIN and TLS_CIPHER_SUITE values as follows:
TLS_PROTOCOL_MIN 3.2
TLS_CIPHER_SUITE TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA
In the /etc/openldap/slapd.conf file, set the TLSProtocolMin and TLSCipherSuite values as follows:
TLSProtocolMin 770
TLSCipherSuite TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA
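The following audit script is an added example, not part of the release notes or of OpenLDAP. It checks a hand-maintained ldap.conf and slapd.conf for the values prescribed above: the protocol minimum (3.2 in ldap.conf, 770 in slapd.conf, where 770 is simply the decimal form of 0x0302, the same 3.2 version number) and a cipher suite that starts with the TLSv1.2 group and explicitly rejects anonymous (!aNULL) and unencrypted (!eNULL) ciphers. The configuration files it writes for its own demonstration are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Oracle release notes: audit hand-maintained
# OpenLDAP configuration against the values the release note prescribes.
# ldap.conf keys: TLS_PROTOCOL_MIN / TLS_CIPHER_SUITE
# slapd.conf keys: TLSProtocolMin / TLSCipherSuite
# The file contents written by write_sample_confs are constructed.

# The cipher suite string prescribed by the release note.
SUITE='TLSv1.2:!aNULL:!eNULL:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA'

# conf_value FILE KEY -> prints the value of the last uncommented KEY line
conf_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# check_protocol_min FILE KEY EXPECTED -> 0 when the configured minimum matches
check_protocol_min() {
    [ "$(conf_value "$1" "$2")" = "$3" ]
}

# check_cipher_suite FILE KEY -> 0 when the suite starts with the TLSv1.2 group
# and contains both !aNULL and !eNULL exclusions
check_cipher_suite() {
    case "$(conf_value "$1" "$2")" in
        TLSv1.2:*"!aNULL"*"!eNULL"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_ldap_tls LDAP_CONF SLAPD_CONF -> prints ok/FAIL per check,
# returns 0 only when every check passes
audit_ldap_tls() {
    rc=0
    check_protocol_min "$1" TLS_PROTOCOL_MIN 3.2 && echo "ok:   ldap.conf TLS_PROTOCOL_MIN 3.2" \
        || { echo "FAIL: ldap.conf TLS_PROTOCOL_MIN is not 3.2"; rc=1; }
    check_cipher_suite "$1" TLS_CIPHER_SUITE && echo "ok:   ldap.conf TLS_CIPHER_SUITE" \
        || { echo "FAIL: ldap.conf TLS_CIPHER_SUITE is not TLSv1.2-based or lacks !aNULL/!eNULL"; rc=1; }
    check_protocol_min "$2" TLSProtocolMin 770 && echo "ok:   slapd.conf TLSProtocolMin 770" \
        || { echo "FAIL: slapd.conf TLSProtocolMin is not 770"; rc=1; }
    check_cipher_suite "$2" TLSCipherSuite && echo "ok:   slapd.conf TLSCipherSuite" \
        || { echo "FAIL: slapd.conf TLSCipherSuite is not TLSv1.2-based or lacks !aNULL/!eNULL"; rc=1; }
    return $rc
}

# write_sample_confs DIR -> writes constructed ldap.conf and slapd.conf
# carrying the prescribed values (for demonstration only)
write_sample_confs() {
    printf '# constructed client config\nTLS_PROTOCOL_MIN 3.2\nTLS_CIPHER_SUITE %s\n' "$SUITE" > "$1/ldap.conf"
    printf '# constructed server config\nTLSProtocolMin 770\nTLSCipherSuite %s\n' "$SUITE" > "$1/slapd.conf"
}

# Demonstration on the constructed files; point the function at
# /etc/openldap/ldap.conf and /etc/openldap/slapd.conf on a real system.
dir=$(mktemp -d) || exit 1
write_sample_confs "$dir"
audit_ldap_tls "$dir/ldap.conf" "$dir/slapd.conf"
rm -rf "$dir"
```

The checks key on the last occurrence of each directive, which is the one that wins if a file has been edited more than once; a missing directive fails the check in the same way as a wrong value, since a file that sets neither key falls back to whatever the library defaults to rather than to the prescribed minimum.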
By default, ssh-dss keys are disabled. You must remove the existing ssh-dss keys from the authorized_keys files and add ssh-rsa keys in their place. Otherwise, you might not be able to connect to the server after it has been upgraded to Oracle Solaris 11.4.
By default, the diffie-hellman-group1-sha1 key exchange method is disabled. Peers that support only this method should be upgraded to support a secure key exchange method.
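The following script is an added example covering both of the preceding items; it is not part of the release notes or of the SSH software. It counts and lists ssh-dss entries in an authorized_keys file so that owners can be asked for ssh-rsa replacements before the upgrade, and it flags an ssh_config or sshd_config whose KexAlgorithms line lists diffie-hellman-group1-sha1, which would re-enable the method that is disabled by default. The key blobs and configuration lines it writes are constructed placeholders, not real keys; the `+` prefix in the sample uses OpenSSH's append syntax for KexAlgorithms.

```shell
#!/bin/sh
# Added example, not from the Oracle release notes: pre-upgrade SSH audit.
# 1) ssh-dss entries in authorized_keys (disabled by default in 11.4)
# 2) KexAlgorithms lines that list diffie-hellman-group1-sha1
# Key material and config lines written below are constructed placeholders.

# count_dss_keys FILE -> prints the number of active ssh-dss entries.
# Options such as from="..." may precede the key type, so every field is scanned.
count_dss_keys() {
    awk '
        /^[[:space:]]*#/ { next }      # comment line
        NF == 0          { next }      # blank line
        {
            for (i = 1; i <= NF; i++)
                if ($i == "ssh-dss") { n++; break }
        }
        END { print n + 0 }
    ' "$1"
}

# list_dss_keys FILE -> prints "line: comment" for each ssh-dss entry so the
# key owner can be identified and asked for an ssh-rsa replacement
list_dss_keys() {
    awk '
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i == "ssh-dss") {
                    print NR ": " (i + 2 <= NF ? $(i + 2) : "(no comment)")
                    break
                }
        }
    ' "$1"
}

# weak_kex_enabled FILE -> 0 when an uncommented KexAlgorithms line names
# diffie-hellman-group1-sha1 (with or without the "+" append prefix)
weak_kex_enabled() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "kexalgorithms" && index($2, "diffie-hellman-group1-sha1") { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Demonstration on constructed files; on a real system point these at
# ~user/.ssh/authorized_keys and /etc/ssh/ssh_config or sshd_config.
dir=$(mktemp -d) || exit 1
cat > "$dir/authorized_keys" <<'EOF'
# constructed sample; key blobs are placeholders, not real keys
ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-RSA alice@example.com
from="10.0.0.0/8" ssh-dss AAAAB3NzaC1kc3M-PLACEHOLDER-DSS bob@example.com
ssh-dss AAAAB3NzaC1kc3M-PLACEHOLDER-DSS2
EOF
cat > "$dir/ssh_config" <<'EOF'
# constructed sample: an operator re-enabled the retired key exchange method
Host legacy-appliance
    KexAlgorithms +diffie-hellman-group1-sha1
EOF
echo "ssh-dss entries: $(count_dss_keys "$dir/authorized_keys")"
list_dss_keys "$dir/authorized_keys"
weak_kex_enabled "$dir/ssh_config" && echo "WARNING: diffie-hellman-group1-sha1 listed in $dir/ssh_config"
rm -rf "$dir"
```

Running the audit before the upgrade, rather than after, is the point: an ssh-dss-only account discovered afterwards is one that can no longer log in to add its replacement key.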